Security Groups don't support protocol 4 (ip-in-ip) and return 500

Bug #1716045 reported by German Eichberger
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Brian Haley
Milestone: (none)

Bug Description

When trying to create a security group with protocol 4 Neutron returns 500:

stack@octavia:~/devstack$ openstack security group rule create --protocol 4 b30911a1-558c-41fe-89fd-915c0da030cf
Error while executing command: Internal Server Error (HTTP 500) (Request-ID: req-d1e3eb48-0799-4c7b-b4ac-36501c221842)

I tried this on devstack so it should be pretty easy to reproduce. Ideally I would like to see IP-in-IP supported but a better error message might be a first step.

Brian Haley (brian-haley) wrote :

The actual error is:

  ValueError: Field value 4 is invalid

Which is most likely due to the fact that we're validating against IP_PROTOCOL_MAP from neutron-lib, which doesn't include IP, just upper-layer protocols.

A fix for IP-in-IP, or more generally, IPvX-in-IPvX, would take an investigation to determine what the iptables and OVS support is for it and how to program it into the ruleset. We'd also have to check that conntrack supports it.

Changed in neutron:
status: New → Confirmed
importance: Undecided → Wishlist
Brian Haley (brian-haley) wrote :

I marked this Wishlist just because it's maybe not as simple as tweaking the allowed IP protocol list to make it work.

Michael Johnson (johnsom) wrote :

This is a bug as it is documented that neutron supports 0-255 for the protocol integer. We also have a liberty cloud where it works, so this might be a regression.

Changed in neutron:
importance: Wishlist → High
Michael Johnson (johnsom) wrote :

It should not be returning 500 either, it should be a 400 if it was an invalid parameter.

Attaching the stacktrace.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)

Fix proposed to branch: master
Review: https://review.openstack.org/503198

Changed in neutron:
assignee: nobody → German Eichberger (german-eichberger)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/511561

Changed in neutron:
assignee: German Eichberger (german-eichberger) → Brian Haley (brian-haley)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/511561
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b
Submitter: Zuul
Branch: master

commit 7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b
Author: Brian Haley <email address hidden>
Date: Thu Oct 12 15:25:26 2017 -0400

    Support protocol numbers in security group API

    Somewhere along the way we broke supporting numbers in
    the security group API that were not in our known list
    of protocols. In order to fix this properly we must
    use the correct arguments when using iptables-save, as
    it could use a name instead of a number, or vice-versa.
    Determined the list of mappings by doing:

     for num in {0..255}; do iptables -A INPUT -p $num; done
     # iptables-save

    Change-Id: I5895250b47ddf664d214cf085be693c3897e0c87
    Closes-bug: #1716045
    Closes-bug: #1716790
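
Two things in this thread point at the same gap: Brian's note above that the API validates the protocol against a name map and raises ValueError (hence the 500) for a bare number, and this commit message's point that iptables-save may print a rule back with a protocol name where a number was given, or vice versa. The following is an added example written for this page, not code from neutron or neutron-lib: it validates a security-group-rule protocol as either a known name or an integer 0-255 and turns failures into a 400-style response, then normalizes iptables-save lines so a rule added as `-p 4` still matches one saved as `-p ipencap`. The protocol tables are a constructed subset modeled on /etc/protocols (they are not neutron-lib's IP_PROTOCOL_MAP), and InvalidInput, create_rule_response, normalize_rule and rule_present are hypothetical names for this illustration.

```python
import re

# Constructed name -> number table modeled on /etc/protocols. It stands in
# for neutron-lib's IP_PROTOCOL_MAP in this example and is NOT that map.
PROTOCOL_NAMES = {
    "icmp": 1, "ipip": 4, "tcp": 6, "udp": 17, "ipv6-icmp": 58, "sctp": 132,
}

# Names iptables-save may print for a rule that was added with a numeric -p.
# Constructed for this example; the commit above built the real list by
# adding rules for 0..255 and reading iptables-save back.
IPTABLES_SAVE_NAMES = {"ipencap": 4, "ipv6": 41, "gre": 47, "esp": 50, "ah": 51}


class InvalidInput(ValueError):
    """Validation failure that the API layer maps to HTTP 400, not 500."""


def validate_protocol(value):
    """Return the IP protocol number for a name or a number 0-255.

    Accepts ints, numeric strings and known names; anything else raises
    InvalidInput so the caller can answer 400 instead of leaking a 500.
    """
    if value is None:
        return None  # "any protocol" in security-group-rule terms
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise InvalidInput("protocol must be a name or an integer 0-255")
    if isinstance(value, str):
        token = value.strip().lower()
        if token in PROTOCOL_NAMES:
            return PROTOCOL_NAMES[token]
        if not token.isdigit():
            raise InvalidInput("unknown protocol name %r" % value)
        number = int(token)
    else:
        number = value
    if not 0 <= number <= 255:
        raise InvalidInput("protocol number %d out of range 0-255" % number)
    return number


def create_rule_response(protocol):
    """Hypothetical API boundary: (status, body) for a rule-create request."""
    try:
        number = validate_protocol(protocol)
    except InvalidInput as exc:
        return 400, {"error": str(exc)}
    return 201, {"protocol": number}


def protocol_token_to_number(token):
    """Map the -p argument as iptables-save printed it back to a number."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    for table in (IPTABLES_SAVE_NAMES, PROTOCOL_NAMES):
        if token in table:
            return table[token]
    raise InvalidInput("cannot map iptables protocol token %r" % token)


# '-p X' or '--protocol X' at a token boundary in an iptables-save line.
_PROTO_RE = re.compile(r"(?<!\S)(-p|--protocol)\s+(\S+)")


def normalize_rule(rule):
    """Rewrite '-p <name>' in an iptables-save line to '-p <number>'.

    A rule added as '-p 4' can come back as '-p ipencap', so a textual
    comparison between the wanted rule and the saved one fails unless both
    sides use the same spelling.
    """
    return _PROTO_RE.sub(
        lambda m: "%s %d" % (m.group(1), protocol_token_to_number(m.group(2))),
        rule,
    )


def rule_present(wanted, saved_lines):
    """True if `wanted` matches a line of iptables-save output after normalization."""
    target = normalize_rule(wanted)
    return any(normalize_rule(line) == target for line in saved_lines)


if __name__ == "__main__":
    # Constructed iptables-save output: the first rule was added with '-p 4'.
    saved = ["-A INPUT -p ipencap -j ACCEPT", "-A INPUT -p tcp --dport 22 -j ACCEPT"]
    print(create_rule_response("4"))                        # (201, {'protocol': 4})
    print(create_rule_response("256")[0])                   # 400
    print(rule_present("-A INPUT -p 4 -j ACCEPT", saved))   # True
```

The point of normalizing both sides to a number, rather than teaching the comparison every name the kernel might print, is that the numeric form is the one the API documents (0-255) and the one that survives whichever spelling iptables-save chooses; a name the table does not know still fails loudly as a 400-style error rather than silently never matching and being re-added on every sync.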

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (master)

Reviewed: https://review.openstack.org/503198
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=f4c4b0f20a796caf2133f6029ca3455382cd50ad
Submitter: Zuul
Branch: master

commit f4c4b0f20a796caf2133f6029ca3455382cd50ad
Author: German Eichberger <email address hidden>
Date: Tue Sep 12 15:18:46 2017 -0600

    Adds IPinIP protocol

    Neutron doesn't support the IP-in-IP protocol by name in
    security group rules. With this change a user can now
    declare the IP-in-IP protocol by using the name 'ipip'

    Note: This doesn't fix an underlying problem
    with the Neutron protocol number validator, but
    serves as a work around for users wanting to use
    the IP-in-IP protocol.

    Partial-bug: #1716045

    Change-Id: I18e5e42b687e12b64f5a9c523a912c8dd1afa9d2

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b2

This issue was fixed in the openstack/neutron 12.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/532188

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/532460

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/532188
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d16f69b3ae925bc4f48f75c84798a8fe2198aa2e
Submitter: Zuul
Branch: stable/pike

commit d16f69b3ae925bc4f48f75c84798a8fe2198aa2e
Author: Brian Haley <email address hidden>
Date: Thu Oct 12 15:25:26 2017 -0400

    Support protocol numbers in security group API

    Somewhere along the way we broke supporting numbers in
    the security group API that were not in our known list
    of protocols. In order to fix this properly we must
    use the correct arguments when using iptables-save, as
    it could use a name instead of a number, or vice-versa.
    Determined the list of mappings by doing:

     for num in {0..255}; do iptables -A INPUT -p $num; done
     # iptables-save

    Change-Id: I5895250b47ddf664d214cf085be693c3897e0c87
    Closes-bug: #1716045
    Closes-bug: #1716790
    (cherry picked from commit 7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/532460
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8442a144a230964ee88cfee43927eb1b1c94ee03
Submitter: Zuul
Branch: stable/ocata

commit 8442a144a230964ee88cfee43927eb1b1c94ee03
Author: Brian Haley <email address hidden>
Date: Thu Oct 12 15:25:26 2017 -0400

    Support protocol numbers in security group API

    Somewhere along the way we broke supporting numbers in
    the security group API that were not in our known list
    of protocols. In order to fix this properly we must
    use the correct arguments when using iptables-save, as
    it could use a name instead of a number, or vice-versa.
    Determined the list of mappings by doing:

     for num in {0..255}; do iptables -A INPUT -p $num; done
     # iptables-save

    Change-Id: I5895250b47ddf664d214cf085be693c3897e0c87
    Closes-bug: #1716045
    Closes-bug: #1716790
    (cherry picked from commit 7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.5

This issue was fixed in the openstack/neutron 10.0.5 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.3

This issue was fixed in the openstack/neutron 11.0.3 release.
